Abstract — The evolution of e-commerce, with the internet
playing the main role as the best way to implement
information and communication channels, making
electronic transactions more effective, linking extranets and
extending intranets to a commercial partnership environment,
has had an impact on internal control.
Given the specific characteristics of the Internet, the
path taken by a transaction is not easily predictable, nor is it
possible to assure the security of all systems that participate in
an electronic commercial transaction. Consequently, it is
impossible to guarantee a safe electronic commercial
transaction environment by using only technological
components (firewalls, for instance). Therefore, we conclude
that there is a need to implement risk-based internal control
systems, which take into consideration the new internal control
pattern, when commercial transactions are to be made
electronically.

Index Terms — Ecommerce control, Control System 
Ecommerce. 

I. Introduction 

E-commerce, or electronic commerce, is the process of buying
and selling goods over the Internet. Other than buying and
selling, many people use the Internet as a source of information
to compare prices or look at the latest products on offer before
making a purchase online or at a traditional store. E-business
is sometimes used as another term for the same process. More
often, though, it is used to define a broader process of how the
Internet is changing the way companies do business, the
way they relate to their customers and suppliers, and the
way they think about such functions as marketing and
logistics.

II. E-COMMERCE BUSINESS MODEL & PROCESS 

An e-commerce business model aims to use and leverage the
unique qualities of the Internet and the World Wide Web.
E-commerce business models integrate the internet,
digital communications and IT applications that enable the
process of buying and selling. E-commerce business models
are:

1. B2C (Business to Consumer) 

2. B2B (Business to Business) 

3. B2G (Business to Government) 
In this paper we shall consider that e-commerce consists of
the act of rendering effective a commercial transaction, one
that links two entities (customer and supplier), using the
Internet as a technological platform to establish the
information and communication channel between those two
entities. An electronic commercial transaction has the same
significance as the traditional commercial transaction,
consisting of the satisfaction of a set of needs in exchange for
equal value (Kornelius 1999), with the difference of using
new communication and information technologies to make
itself effective.



Fig-2: A commercial transaction consists of the satisfaction of a set of
needs in exchange of an equal value.

When two entities establish electronic commercial
transactions between themselves, their information systems,
plus the business processes that each of the entities performs
separately, are no longer isolated. This is the result
of the influence that the information systems and
business processes of one entity have over their
counterparts in the other entity. Simultaneously, the systems
that render effective a channel of communication and
information between two entities no longer function separately,
working instead with the systems and internal business
processes of each of the intervening entities. Besides what has
been previously mentioned, every commercial transaction,
whether in the traditional format or performed using electronic
mechanisms, should contemplate the following items:
•Authentication - guarantee of the legal entity, singular or
plural, with whom we are working;

•Integrity - guarantee that the contents of the communication
between both parties are not modified;

•Confidentiality - guarantee that no unauthorized party,
either intentionally or not, has access to the contents of the
communication.


III. INTERNAL CONTROL

The set of rules, policies and procedures (control mechanisms)
involved in the management of business risk is commonly
designated an internal control system (Pathak 2003).
A control mechanism helps an operational process to reach its
aim without being, necessarily, part of the process, figure 2
(O'Connel 1999). These mechanisms are resources that, if
used adequately by the processes, perform the management of
the risks associated with the processes and systems.


Fig-3: The main business and support processes use control mechanisms
external to the process. 


One says that a control is internal when it corresponds to a
mechanism specifically connected to an entity or negotiated
by two or more entities for common usage. This control can
be an excellent tool to achieve an organization's aims.
However, its implementation should be supported by a
coherent and consistent framework (Curtis and Wu 2000).
The open nature of the internet makes the entities involved in
internet-based electronic commercial processes vulnerable to
intentional or unintentional attacks. Thus, the
implementation of internal control systems is vital. Their
aim is the management of the risks inherent to
inter-organizational systems that support real-time electronic
transactions (Pathak 2003), based on the Net.

The implementation of an inter-organizational control system
is not common, due to the absence of a manager of the
internet, which would establish the universal laws to be
equally applied by all intervening entities. The potential
existence of such an entity would largely restrain the
creativity of the Net users, which gives the Net its incredible
richness.

The single nature of electronic commercial transactions, 
transverse both to the intra-organizational environment and 
the inter-organizational environment, is responsible for the 
non-restriction of the internal control system. Thus, it is 
applied not only to the intra-organizational control but also to 
the inter-organizational control, as one can see in figure 3. 
The intra-organizational control, when dealt with separately
in the traditional commercial transactions, is extended in
order to include the inter-organizational controls, which were
taken into consideration separately in the traditional
transactions.
Fig-4: The internal control, when in an electronic commerce environment,
includes the intra-organizational and inter-organizational control, both 
existing in a traditional commercial transaction perspective. 

Should organizations consider adopting electronic
commerce strategies, two main principles of internal control
should be taken into consideration: the type of controls in the
e-commerce sphere of action and the availability of
those organizations with regard to having a specific
framework which will help them in the implementation of an
adequate internal control system (Osborne 1999).

The adoption of a coherent and consistent framework that
supports the effective implementation of an internal control
system, based on the risk associated with the business
processes and with the involved information systems, in the
e-commerce sphere of action, should take into consideration the
need to extend the intra-organizational environment of each
of the involved entities to the inter-organizational
environment (information and communication channel) that
already exists between the above-mentioned entities. This
will be easily obtained among organizations that have already
installed a coherent and consistent internal control system,
supported by the same framework or not, with well-defined
internal control criteria.

Here are the five components of internal controls:

•Control environment: This term refers to the attitude of the 
company, management, and staff regarding internal controls. 
Do they take internal controls seriously, or do they ignore 
them? Your client’s environment isn’t very good if, during 
your interviews with management and staff, you see a lack of 
effective controls or notice that previous audits show many 
errors. 

•Risk assessment: In a nutshell, you should evaluate whether 
management has identified its riskiest areas and implemented 
controls to prevent or detect errors or fraud that could result in 
material misstatements. For example, has management 
considered the risk of unrecorded revenue or expense 
transactions? 

•Control activities: These are the policies and procedures that 
help ensure that management’s directives are carried out. One 
example is a policy that all company checks for amounts 
more than $5,000 require two signatures. 

•Information and communication: You have to understand 
management’s information technology, accounting, and 
communication systems and processes. This includes internal 
controls to safeguard assets, maintain accounting records, and 
back up data. 

For example, to safeguard assets, does the client tag all
computers with identifying stickers and periodically take a
count to make sure all computers are present? Regarding the
accounting system, is it computerized or manual? If it’s
computerized, are authorization levels set for employees so
they can access only their piece of the accounting puzzle? For
data, are backups done frequently and kept off-site in case of
fire?

•Monitoring: This component involves understanding how 
management monitors its controls — and how effective the 
monitoring is. The best internal controls are worthless if the 
company doesn’t monitor them and make changes when they 
aren’t working. For example, if management discovers that 
tagged computers are missing, it has to set better controls in 
place. The client may need to establish a policy that no 
computer gear leaves the facility without managerial 
approval. 

E-Commerce Internal Control Segregation of Duties 
Checklist 

1) Are responsibilities for collection and deposit preparation 
functions adequately segregated from those for recording 
cash receipts and general ledger entries? 

2) Are responsibilities for cash receipts functions adequately 
segregated from those for cash disbursements? 

3) Are responsibilities for disbursement preparation and 
disbursement approval functions adequately segregated from 
those for recording or entering cash disbursements 
information on the general ledger? 

4) Are responsibilities for the disbursement approval function 
adequately segregated from those for the disbursement, 
voucher preparation, and purchasing functions? 

5) Are responsibilities for entries in the cash receipt and 
disbursement records adequately segregated from those for 
general ledger entries? 

6) Are responsibilities for preparing and approving bank 
account reconciliations adequately segregated from those for 
other cash receipt or disbursement functions? 

7) If EDP is used, is the segregation of duties principle 
maintained within processing activities? 
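
Where roles are held in a computerized system, questions 1 to 6 of this checklist can be evaluated mechanically against role assignments. The following is an added example, not part of the original paper: the duty, role and user names are constructed, and the rules are a paraphrase of the questions above. It flags users whose combined roles span both sides of a segregation rule even though each role is clean on its own.

```python
# Added example (not from the paper). Duty, role and user names are constructed;
# the rules paraphrase questions 1-6 of the e-commerce checklist above.
RECEIPTS = {"collection", "deposit_preparation", "record_cash_receipts"}
DISBURSE = {"disbursement_preparation", "disbursement_approval",
            "disbursement", "record_cash_disbursements"}

# (checklist question, side A, side B): nobody may hold duties on both sides.
SOD_RULES = [
    (1, {"collection", "deposit_preparation"},
        {"record_cash_receipts", "general_ledger_entry"}),
    (2, RECEIPTS, DISBURSE),
    (3, {"disbursement_preparation", "disbursement_approval"},
        {"record_cash_disbursements", "general_ledger_entry"}),
    (4, {"disbursement_approval"},
        {"disbursement", "voucher_preparation", "purchasing"}),
    (5, {"record_cash_receipts", "record_cash_disbursements"},
        {"general_ledger_entry"}),
    (6, {"bank_reconciliation"}, RECEIPTS | DISBURSE),
]

# Constructed sample data: every role is clean on its own.
ROLE_DUTIES = {
    "cashier": {"collection", "deposit_preparation"},
    "ar_clerk": {"record_cash_receipts"},
    "ap_clerk": {"voucher_preparation", "disbursement_preparation"},
    "approver": {"disbursement_approval"},
    "reconciler": {"bank_reconciliation"},
}
USER_ROLES = {
    "alice": ["cashier"],
    "bob": ["cashier", "ar_clerk"],
    "carol": ["ap_clerk", "approver"],
    "dave": ["reconciler", "approver"],
}

def find_conflicts(user_roles, role_duties, rules=SOD_RULES):
    """Return (user, question, held_a, held_b) for each violated rule."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        # Effective duties are the union over every role the user holds.
        duties = set().union(*(role_duties[r] for r in roles))
        for question, side_a, side_b in rules:
            held_a, held_b = sorted(side_a & duties), sorted(side_b & duties)
            if held_a and held_b:
                findings.append((user, question, tuple(held_a), tuple(held_b)))
    return findings

if __name__ == "__main__":
    print(*find_conflicts(USER_ROLES, ROLE_DUTIES), sep="\n")
```
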

Financial Reporting Segregation of Duties 

1) Are responsibilities for the final review and approval of 
financial reports adequately segregated from those for the 
preparation of the reports? 

2) Are responsibilities for maintaining the general ledger 
adequately segregated from those for maintaining subsidiary 
ledgers? 

3) Are responsibilities for maintaining the general ledger 
adequately segregated from those for the custody of assets? 

4) Are the responsibilities for preparation and approval 
functions adequately segregated from those for journal 
entries? 

5) If EDP is used, is the principle of segregation of duties 
maintained within processing activities? 

Electronic Data Processing Segregation of Duties 

1) Is the EDP department independent from the accounting 
and operating departments for which it processes data? 

2) Are duties within the data-processing function
adequately segregated as follows:

a) Systems development (design and programming)? 
b) Technical support (maintenance of systems software)?

c) Operations? 

3) In smaller and mini-computer installations with limited 
opportunities for segregation of duties, do procedures for user 
departments provide the following controls: 

a) Utilization of batch or other input controls? 

b) Control of master file changes? 

c) Balance master files between processing cycles? 

4) Do personnel policies of the EDP function include such 
procedures as reference checks, security statements, rotation 
of duties, and terminated-employee security measures? 

Monitoring Internal Control Systems and IT 

Monitoring Internal Control Systems and IT provides useful
guidance and tools for enterprises interested in applying
information technology to support and sustain the monitoring
of internal control. Guidance is provided for the design and
operation of monitoring activities over existing IT controls;
however, customization of the provided approaches
to reflect the specific circumstances of each enterprise is
required.

The main goals/aims of this publication are to: 

•Complement and expand on the 2009 COSO Guidance on 
Monitoring of Internal Controls 

•Emphasize the monitoring of application and IT general 
controls 

•Discuss the use of automation (tools) for increased 
efficiency and effectiveness of monitoring processes. 

The shift from conceptual elaboration on the concepts and 
applications for monitoring provides the following help for 
the professional and the enterprise to implement monitoring: 
•Diverse examples 
•Case studies 
•Practical tools 

This publication will be helpful for: 

•Executives/senior management — by providing an executive 
overview and suggested questions to determine whether the 
monitoring of internal controls is adequately addressed 
•Business process owners — by describing how to monitor key 
IT application controls and how to automate monitoring 
processes 

•IT professionals — by supplying templates and tools that can 
be leveraged when developing and implementing a 
monitoring project. 

IV. Conclusion 

The evolution of e-commerce, using a public network like the
internet as a technological infrastructure to support the
implementation of the information and communication
channel, has produced a huge impact on the
implementation of internal control systems and on
information systems auditing practices when
commercial transactions are done electronically. In the
present paper we suggest that, should an organization decide
to implement any electronic commerce model that will
implement its information and communication channel
through the internet, it should extend its intra-organizational
internal control system to its inter-organizational control. The
execution of this enlargement is not common and its
feasibility is strongly related to the previous implementation
of the intra-organizational control, based on a reliable
framework, which will assure the coherence and the stability
in the implementation of a risk-based internal control system.
The extension of the intra-organizational internal control to
the inter-organizational control will allow the
implementation of a risk-based real-time auditing system,
using software agent technology. This auditing system
shall be involved in the core and support processes of any
organization that chooses electronic commercial transactions,
taking advantage of the globalization of markets and the
ubiquity of the internet. As future work, there is still the
need to design the internal control system architecture that
we have suggested in the present paper.